
Re: Problem with start of auditd on 2.6.13-2smp machine





Steve Grubb wrote:
On Tuesday 10 January 2006 14:31, Lisa Giacchetti wrote:

So I installed 1.0.3-6 which did have auditd chkconfig'd off by default.
And I rebooted. It did not work. Well, I should say that auditd is not
running but the messages are still there.


OK, your kernel does not have the patch, then. There are 3 options. You can try for a newer kernel, or patch the one you are using, or use auditd to eat up the messages but live with the error on boot. You will pay a performance penalty for enabling the audit system. I can dig up the kernel patch if you want to patch your kernel.


Yes I think this would be good. At some point we may want/need to have
auditing on so having it installed correctly is a good path to follow.


Using 1.0.3 might be the best solution if you have a kernel without the
patch to stop user space originating messages. Just set the log size low
and tell it to suspend logging when the file gets too big.

flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND

Won't I still have the problem of the error on start up?


Yes, but it's harmless - your kernel doesn't support file system auditing.


It's like the -D option on line 5 is not a recognized option.


It is recognized; the error message is somewhat misleading (I think it was updated in later versions). It is saying that it tried to get the list of files being watched and the kernel didn't understand.

Good. I am comfortable with this.

I really don't care about the error as long as I know that
things are configured to not really start auditing.


Well, auditing comes in 2 layers. If auditing is enabled, all the syscalls will pass through the audit system for inspection. There is a performance penalty for this. The other layer is when you have rules loaded that may trigger events. This will result in kernel audit messages.


Ok. I will keep this in mind if we decide to turn auditd on before we
have the kernel patch. Some of these systems are already heavily
loaded and it might not be a good idea to do.

Thanks again for all your help!!

Lisa

-Steve


--

Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
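Added here as an illustration and not part of the thread: a small Python helper that parses an auditd.conf fragment like the one quoted above and reports the worst-case disk footprint it allows (auditd measures max_log_file in megabytes). The sample config text is constructed from the settings in the thread; the function names are my own.

```python
"""Parse an auditd.conf fragment and compute the disk bound it imposes."""

# Constructed sample: the settings suggested in the thread above.
AUDITD_CONF = """\
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
"""

VALID_ACTIONS = {"IGNORE", "SYSLOG", "SUSPEND", "ROTATE", "KEEP_LOGS"}


def parse_auditd_conf(text):
    """Return {lowercased key: value}, skipping blank lines and '#' comments."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def log_disk_bound_mb(conf):
    """Worst-case megabytes auditd will write, or None when the log is unbounded."""
    size_mb = int(conf.get("max_log_file", 0))
    action = conf.get("max_log_file_action", "SYSLOG").upper()
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown max_log_file_action {action!r}")
    # A size of 0 disables the limit; IGNORE/SYSLOG never stop writing and
    # KEEP_LOGS rotates without ever deleting, so none of these bound disk use.
    if size_mb <= 0 or action in ("IGNORE", "SYSLOG", "KEEP_LOGS"):
        return None
    if action == "SUSPEND":
        return size_mb  # writing stops once the first file fills up
    # ROTATE keeps num_logs files (audit.log plus rotated copies).
    return size_mb * max(int(conf.get("num_logs", 1)), 1)


if __name__ == "__main__":
    settings = parse_auditd_conf(AUDITD_CONF)
    print(settings, "->", log_disk_bound_mb(settings), "MB worst case")
```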

